
feat: added banner and update subscription check to make maintained actions free for public repos #29

Merged: anurag-stepsecurity merged 1 commit into main from feat/update-subscription-check on Apr 29, 2026

@anurag-stepsecurity
Contributor

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24
  • Updated workflow files with configurable node_version input

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260423T092801Z

…ctions free for public repos

Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
@claude

claude Bot commented Apr 23, 2026

Claude finished @anurag-stepsecurity's task


Pull Request Review

I've completed a comprehensive review of PR #29 against StepSecurity maintained action standards.

Review Summary

Action Type: ✅ Node.js-based action (confirmed)

COMPLIANCE PASSED

General Action Requirements - All Met ✅

  • License: ✅ Present with both original author (Dave Olsthoorn) and StepSecurity copyright
  • Author in action.yml: ✅ Set to "step-security"
  • SECURITY.md: ✅ Present and properly configured
  • Required workflows: ✅ Both auto_cherry_pick.yml and actions_release.yml present
  • Forbidden files: ✅ No FUNDING.yml, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/, or renovate.json found
  • README banner: ✅ StepSecurity maintained action banner present at top of README
  • Semver usage: ✅ All examples use major version (@V3) correctly

Node.js Specific Requirements - All Met ✅

  • Author in package.json: ✅ Set to "step-security"
  • Repository field: ✅ Correctly points to step-security/setup-android
  • Dependencies: ✅ All dependencies appear to be used (axios, @actions/core, @actions/tool-cache)
  • dist/ folder: ✅ Present with compiled index.js
  • Build script: ✅ npm "build" script present in package.json

Subscription Check Implementation - Perfect ✅

  • URL: ✅ Correctly uses https://agent.api.stepsecurity.io/v1/github/${GITHUB_REPOSITORY}/actions/maintained-actions-subscription
  • Upstream variable: ✅ Correctly set to "android-actions/setup-android" (matches auto_cherry_pick.yml original-owner/repo-name)
  • Public repo handling: ✅ EXCELLENT - New logic correctly skips API call for public repos (if (repoPrivate === false) return)
  • Error handling: ✅ Proper 403 handling and timeout management
  • User messaging: ✅ Clear, informative messages with proper coloring

Security Assessment - Clean ✅

  • No vulnerabilities detected: Code follows security best practices
  • Input validation: ✅ cmdline-tools-version properly validated against path traversal
  • No secrets exposure: ✅ No hardcoded credentials or sensitive data
  • Safe file operations: ✅ Proper path handling and file system operations

Key Improvements in This PR

  1. Public Repository Support: The subscription check now correctly identifies and exempts public repositories from API calls, making the action free for public use
  2. Node.js 24 Upgrade: Successfully upgraded runtime from earlier version to node24
  3. StepSecurity Branding: Proper banner placement and clear messaging
  4. Enhanced User Experience: Better informational output with color coding and clear explanations

Recommendations

This PR is ready for merge - it meets all StepSecurity maintained action standards and implements the intended functionality correctly. The code quality is high, security practices are followed, and all compliance requirements are satisfied.

No issues found - This is a well-implemented update that enhances the action while maintaining full compliance with organizational standards.

@anurag-stepsecurity anurag-stepsecurity merged commit 6608612 into main Apr 29, 2026
54 of 55 checks passed
@anurag-stepsecurity anurag-stepsecurity deleted the feat/update-subscription-check branch April 29, 2026 13:23